Tech Cloud Report: When the "old three" no longer work, what does network security rely on?

Author: Tech Cloud Report

An original report by Tech Cloud Report.

From a security perspective, cyberspace is full of viruses, hackers, and vulnerabilities. In the past, enterprises relied on the "old three" (firewalls, IDS, and antivirus software) for their security.

If cyberspace is compared to a building, the firewall is the door lock, isolating the internal network from the external network or separating different security domains. IDS is the surveillance system, raising an alarm as soon as a problem occurs. Antivirus software is the security guard who patrols the building, finds problems, and takes action based on experience.

However, in today's cyber security situation, the "old three" have long been inadequate.

Ransomware attacks have been the number one security threat in recent years, and they grow more rampant every year.

According to the 2024 Ransomware Review: Analysis of Unit 42 Leak Site Data, published by cybersecurity firm Palo Alto Networks, the number of victims posted on ransomware leak sites rose by 49%, with victims in at least 120 countries around the world.

For new ransomware variants with detection-evasion ("no-kill") features, antivirus software cannot detect the ransomware attack at all, let alone prevent it, and it cannot crack the encryption keys afterwards.

Phishing attacks are also escalating rapidly, moving from traditional email to WeChat, which people use every day. When an enterprise employee or individual user is tricked into scanning a QR code that opens a page or joins a group in WeChat, the attacker phishes and takes control of the terminal directly, and then spreads a Trojan from it.

These Trojans exist only in the phone's memory, and their network traffic travels over the mobile network rather than the enterprise's internal network, so the firewalls, IDS, and antivirus software that the enterprise has deployed on its computers are entirely unaware that these risks exist.

Moreover, attackers keep improving and innovating their techniques, with advanced methods such as APT attacks and supply chain attacks against which traditional security defenses are completely ineffective.

Faced with this escalating network security situation, more and more security experts have put forward new security concepts such as "defense in depth", "active defense", "all-round monitoring and early warning", and "coordinated emergency response".

What are the key technologies behind these concepts, and how can enterprises apply them to security practice?

Building a new generation of basic security protection system

In recent years there have been a number of "nuclear bomb-level" cyber attacks around the world, targeting key foundational industries such as finance, energy, transportation, and industry, while sectors such as healthcare, education, government, and manufacturing are also a focus of attacks because of their particular characteristics.

From the perspective of cyber attack and defense, it is very easy for a hacker to find one breakthrough point in an organization. Conversely, for an organization with tens of thousands of assets, guarding every entry point is an almost impossible task.

But that does not mean defenders have to give up and "lie flat". Supported by the new security concepts, more and more organizations have begun to "lay the foundation" again and build a new generation of basic security protection system.

For example, in recent years the Ministry of Water Resources of the People's Republic of China has explicitly put forward a technical architecture of "compliant, hierarchical defense in depth; all-round monitoring and early warning; classified basic protection; and rapid, coordinated emergency response".

Cai Yang, former director of the Information Center of the Ministry of Water Resources

According to Cai Yang, former director of the Information Center of the Ministry of Water Resources, the Ministry of Water Resources has carried out construction in three aspects in terms of network basic security defense:

First, compliance-driven hierarchical basic security defense, based on DJCP 2.0 (China's Multi-Level Protection Scheme), to achieve multi-level protection of the physical environment, communication network, regional boundaries, and computing environment.

Second, intensive and unified basic security services to raise the security baseline of the whole industry, such as unified identity authentication, unified cryptographic services, unified intelligence services, application security baseline management, and data sharing and exchange services.

Third, strengthened protection of key foundations, with different defensive measures for different types of services: for the network class, strengthened traffic detection and perimeter hardening; for the application class, strengthened business-integrated algorithm models; for the data class, protection across the whole data life cycle; and for the industrial control class, a secure and trustworthy environment.

CCCG, likewise a large infrastructure company, has undertaken many large national strategic projects, such as the Hong Kong-Zhuhai-Macao Bridge and the South China Sea island reclamation. It was added to the United States Entity List in 2020 and has been continuously attacked by foreign politically motivated hackers over the years.

As a large and complex organization with 170,000 employees, 110,000 terminals, 6,000 hosts, and more than 1,000 information systems distributed around the world, CCCG treats the construction of security protection as a top priority.

Liu Xuezhong, Assistant General Manager of the Science and Technology and Digitalization Department and Director of the Cyber Security Division of CCCG

According to Liu Xuezhong, Assistant General Manager of the Science and Technology and Digitalization Department and Director of the Cyber Security Division of CCCG, CCCG's basic security protection is built on six lines of defense:

The first is the cloud protection platform. The second is the Internet egress, which is built centrally and strictly controlled. The third is the WAN boundary, built group-wide, with more than 380 WAN boundary firewalls under unified group control so that an intruder who breaks through at one point cannot roam across the whole network. The fourth is the construction of intranet security domains at headquarters and subsidiary units. The fifth is protection of the whole group through a unified security protection platform. The sixth is the security awareness of people.

In fact, building a security foundation is only the first step.

At a recent security meeting, Liu Xuezhong, director at CCCG, reflected: "Can the group's network security system truly meet the needs of normalized security protection? Can it meet the needs of large-scale, high-threat hostile attacks in specific scenarios?"

Cai Yang, former director of the Information Center of the Ministry of Water Resources, also said at the meeting, "Construction is one thing, and operation is more difficult and more important for us."

All of this points to building security operations capability on top of basic protection, which is the key to making security both routine and combat-ready.

Building the core capabilities of practical security operations

When building a network security protection system is no longer a simple stacking of equipment but focuses on real security operations capability, the operations management mechanism and the security technology become a two-wheel drive that together raise the organization's practical security capability.

For example, on top of its integrated network security protection platform, CCCG has connected its business processes around "asset management, vulnerability management, and threat event management" to solve the problems of isolated systems, data that cannot be shared, and fragmented processes, so that the parts work in synergy.

Overall, this not only makes the security protection process visible and standardized, greatly improving the efficiency and quality of the work, but also drives the continuous maturing of security operations through better business processes and risk assessment capabilities.

At the Ministry of Water Resources, an integrated water conservancy threat perception, decision-making and command system has been built to support security operations driven by algorithm models, with threat intelligence at its core to improve practical attack and defense capabilities.

Within it, the integrated threat perception, decision-making and command system, with big data at its core, comprises subsystems such as dynamic asset management, multi-dimensional monitoring and collection, business-integrated modeling, intelligent analysis and decision-making, and standardized incident handling.

According to Cai Yang, former director of the Information Center of the Ministry of Water Resources, in the past hundreds of millions of data records and thousands of security alarms were generated every day, and there was no way to handle them manually.

Now, through this system, only about 35 routine security alarms remain, and the effect on manual handling is very noticeable.

At the same time, through the collection, production, querying, and sharing of network security threat intelligence, a joint prevention and control mechanism for water conservancy network security has been built, and it is exercised and tested through offensive and defensive drills to continuously improve practical capability.

Cai Yang said that the construction of threat intelligence mainly includes two aspects: one is to establish a water conservancy network security intelligence center, and the other is to build a joint prevention and control mechanism for the industry. This requires not only privatization of intelligence production, but also the collection of intelligence through multiple channels, as well as the linkage, sharing, and traceability of intelligence information.

For example, it has connected to the security command platform of the Cyberspace Administration of China, the phishing email sharing platform, and the Ministry of Public Security to obtain intelligence, and has cooperated with network security vendors such as Weibu Online (ThreatBook) to improve the industry's threat detection capability and to provide investigation and attribution analysis support for malicious attacks and security incidents, so as to better grasp the internal and external security situation.

It is not hard to see that in large organizations such as CCCG and the Ministry of Water Resources, threat intelligence is the key to building an active security defense system and improving security operations capability.

Fan Xinghua, a technology partner of Weibu Online, pointed out that in the past two years, the focus of enterprise security operations has evolved from "threat" to "risk", and intelligence capabilities are the key to achieving efficient risk discovery and elimination.

Moreover, the explosive growth of large AI model technology has further driven the upgrading of security operations capabilities.

At present, the Ministry of Water Resources of the People's Republic of China is actively exploring large-model "security GPT". By deploying a threat detection GPT and a security operations GPT locally, training them in the cloud on tens of millions of data samples, and connecting them to the water conservancy network security threat perception and decision-making platform, it has improved its ability to detect and analyze security threats.

As a leading threat intelligence vendor, Weibu Online recently gave a further demonstration of its "Intelligence Brain XGPT" at the conference.

Since passing generative AI filing in January this year, XGPT has gone through multiple capability iterations and upgrades. It can correlate 100+ data sources and 8 analysis engines in real time, provide accurate knowledge Q&A and threat analysis, and accelerate incident analysis and handling; it is fully open to the Weibu X security intelligence community and has become a powerful assistant for enterprise security operations.

Xue Feng, founder and CEO of Weibu Online

As Xue Feng, founder and CEO of Weibu Online, put it, in cyberspace "discovery" is the core capability of security, rather than blind protection.

Built on big data and artificial intelligence, threat intelligence and security models constitute a new productive force for network security, and the traditional "old three" are gradually evolving into NDR, next-generation gateways, and EDR, forming the new basic security.

Epilogue

A new era calls for new methods of warfare.

As cyber attack methods keep evolving and growing more complex, traditional security defenses have long been ineffective, and building a security operations system that combines peacetime and wartime has become the core idea of current security construction in many industries.

In general, security operations need to be combined with the organization's actual application scenarios and existing security capabilities, connected to the professional security capabilities of vendors, and then made truly effective through management and processes, so that they become more efficient and measurable.

【About Tech Cloud Report】

Tech Cloud Report is an expert in original, enterprise-level content. Founded in 2015, it is one of the top 10 media outlets in the cutting-edge enterprise IT field. It has been recognized by the Ministry of Industry and Information Technology (MIIT) and is one of the officially designated communication media of Trusted Cloud and the Global Cloud Computing Conference. It publishes in-depth original reports on cloud computing, big data, artificial intelligence, blockchain, and other fields.